Preface: The proof of concept for this vulnerability has been announced. As usual, vendors use their patch release cycle. Therefore, an announcement was issued today (June 8, 2021).
Background: SAP NetWeaver is a software stack for many of SAP SE’s applications. It can be used for custom development and integration with other applications and systems, and is built primarily using the ABAP programming language, but also uses C, C++, and Java.
Vulnerability details: [CVE-2021-27610] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform Product – SAP NetWeaver AS ABAP and ABAP Platform Versions – 700,701,702,731,740,750,751,752,753,754,755,804.
An ABAP server could not 100% correctly identify, if communication via RFC (TCP 3300-3399) or HTTP (8000) is between the application servers of the same SAP system or with servers outside the same system.
For official details, please refer to the URL – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999